Is is possible to use ClojureScript with CSP headers? It seems to demand “unsafe-eval” permission
Are you deploying a development artifact, by any chance? Or maybe your code uses js/eval?
What exactly in your compiled code requires that permission?
SHADOW_ENV.evalLoad("goog.debug.error.js",true, "goog.loadMo...a bunch of stuff is calling goog.globalEval
unfortunately the whole module is in one line
SHADOW_ENV.evalLoad("goog.dom.nodetype.js", true, "goog.provide
also failsand so on
That's a development build. Why are you deploying a development build?
I am not, but I am testing all the same
let me check release build
hm same thing
Can you share a screenshot with the error?
I get about 10 of these:
the lines at the base correspond to these load lines:
:recipe-components-release {:target :browser
:output-dir "target/js"
:asset-path "/js"
:modules {:recipe-widgets {:entries [roklenarcic.cookery.docs.recipe-widgets]}}
:compiler-options {:optimizations :advanced
:infer-externs :auto}}this is the build
in the shadow-cljs.edn
I don't know what else to tell you, these are all from a dev build.
There should be no SHADOW_ENV in the production build at all.
Got my CSP in meta element:
<meta content="default-src 'none';style-src 'nonce-AAABmL0jbAr1aXc5H2iN5oR1G5YAY8EFe4jdA-BmjK8' ;font-src 'self' ;script-src 'sha256-C9Pc74x5BP660fRg4HJ6AmFM9IpoprZO7TSDFKmjYzw=' 'nonce-AAABmL0jbAr1aXc5H2iN5oR1G5YAY8EFe4jdA-BmjK8';connect-src :*" http-equiv="Content-Security-Policy"> I ran shadow-cljs compile recipe-components-release
ok running shadow-cljs release recipe-components-release
Ah I see, release is a different process, I thought that release build just means advanced optimizations
yeah now that’s gone, thanks
I guess I need to make provisions to include unsafe-eval for dev
But why would you deploy a dev build in the first place? It's giant, it's slow. If you need better debugging experience, just make sure you have source maps and enable pseudo names in the build options.
I don’t deploy it, I just open the generated HTML page
Opening a local HTML page as a file brings its own limitations, so you should probably use a local web server. And when using anything local that you control, there's no point in CSP at all.
FWIW you do not usually need a dedicated release build. and those :compiler-options in the build config above are the default. so setting them does nothing, might as well remove them 😉